Facebook sees 600,000 compromised logins per day—0.06% of all logins


Facebook has released a statistic showing that fewer than one-tenth of one percent of logins into the social network are compromised. But since more than 1 billion Facebook logins occur each day, that could add up to 600,000 breaches every 24 hours.

Specifically, an infographic in an official Facebook post introducing new security tools states that “Only .06 percent of over 1 billion logins per day are compromised.” Security firm Sophos was intrigued enough by that statistic to post its own analysis.

“Put another way, that's more than 600,000 per day—or, if you really like to make your mind melt, one every 140 milliseconds,” Sophos technology consultant Graham Cluley writes. “If an unauthorized party has logged into your Facebook account, then you're far from alone.”

One thing we don’t know is how many accounts are actually compromised. Naturally, a single compromised account could have many unauthorized logins in a single day. Facebook claims 750 million active users, with half that number logging on each day.

Also, how Facebook defines a compromised account is not detailed. Cluley writes, “My deduction is that Facebook is talking about the phenomenon of users' accounts being accessed by spammers, and used to send messages out to their online pals. That's what I would call a ‘compromised account,' and that's the 600,000+ a day I suspect.”

UPDATE: We contacted Facebook a few hours before this article was published, and have just received a response attributed to a Facebook spokesperson. Facebook acknowledged blocking roughly 600,000 logins per day, but argued that many of the compromised accounts are somehow compromised off of Facebook. "There may be compromised accounts that appear on Facebook, but more often than not they are compromised off of Facebook—they use the same password for email as Facebook, they get phished, etc.," Facebook said. In the data released this week, the word "compromised" is in reference to "logins where we are not absolutely confident that the account's true owner is accessing the account and we either preemptively or retroactively block access."

While many Facebook users see occasional spam pop up in their news feeds, Facebook says on a percentage basis its spam blockers are doing a bang-up job. While 89.1 percent of e-mail is spam, less than four percent of Facebook content is spam and only one-half of one percent of users see spam on any given day, the company says.

Facebook is trying to cut that number further, or at least prevent it from rising, with two new tools that will be tested in the “coming weeks.” One is called “Trusted Friends,” and lets you select three to five friends who can help if you ever have trouble accessing your account. Facebook compares it to leaving a house key with a friend.

“If you forgot your password and need to login but can't access your email account, you can rely on your friends to help you get back in,” Facebook said. “We will send codes to the friends you have selected and they can pass along that information to you.”
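The article only says that codes go to the selected friends and are relayed back to the account owner. The sketch below is an added example of what the server side of such a flow can look like; it is not Facebook's code and the article does not describe Facebook's implementation. Everything about it is assumed: the code length, a one-hour window, an attempt budget, and the rule (a commenter's guess further down the page) that every selected friend's code is required rather than some threshold. The points worth noticing are that only hashes are stored, that the requester never receives the codes directly, and that short codes need an attempt limit.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters, not taken from the article: 8-hex-character codes, a
# one-hour window, five wrong submissions before the request is voided, and
# the rule that every selected friend's code is required.
CODE_BYTES = 4
CODE_TTL_SECONDS = 3600
MAX_ATTEMPTS = 5


def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()


class TrustedFriendsRecovery:
    """Server side of a social-recovery flow: one random code per trusted
    friend, only hashes kept, all codes needed before the window closes."""

    def __init__(self, min_friends=3, max_friends=5):
        self.min_friends = min_friends
        self.max_friends = max_friends
        self.pending = {}  # account -> {"hashes", "expires", "attempts"}

    def start_recovery(self, account, friends, now=None):
        """Issue one code per friend. Returns {friend: code} so the caller can
        deliver each code to that friend only; the requester never sees them."""
        friends = list(dict.fromkeys(friends))  # drop duplicate entries
        if not self.min_friends <= len(friends) <= self.max_friends:
            raise ValueError("select between %d and %d trusted friends"
                             % (self.min_friends, self.max_friends))
        now = time.time() if now is None else now
        codes = {f: secrets.token_hex(CODE_BYTES) for f in friends}
        self.pending[account] = {
            "hashes": {f: _digest(c) for f, c in codes.items()},
            "expires": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return codes

    def complete_recovery(self, account, submitted, now=None):
        """submitted is {friend: code} as relayed to the user. True only when
        every friend's code matches; each failure counts against the attempt
        budget, and success or exhaustion voids the pending request."""
        now = time.time() if now is None else now
        state = self.pending.get(account)
        if state is None:
            return False
        if now > state["expires"]:
            del self.pending[account]
            return False
        state["attempts"] += 1
        ok = set(submitted) == set(state["hashes"])
        for friend, code in submitted.items():
            expected = state["hashes"].get(friend, "")
            # compare every code so timing does not reveal which one is wrong
            ok &= hmac.compare_digest(_digest(code), expected)
        if ok or state["attempts"] >= MAX_ATTEMPTS:
            del self.pending[account]
        return ok
```

Requiring all codes means an attacker who has talked one friend into handing over a code gets nothing; the cost is that losing contact with any one friend locks the owner out, which is the trade-off the article's house-key comparison glosses over.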

Another new feature targets spam issued from third-party applications by letting users select unique passwords for applications they’ve authorized to interact with their Facebook accounts.

“There are tons of applications you can use by logging in with your Facebook credentials,” the company notes. “However, in some cases, you may want to have a unique password for that application. This is especially helpful if you have opted into Login Approvals, for which security codes don't always work when using third party applications.”

App Passwords is already live for at least some users, as I was able to locate it under security settings in my own account. Trusted Friends doesn’t seem to have gone live yet.
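Because an app password logs the application in on its own, with no Login Approvals code, the useful properties are that each one is random, stored only as a hash, tied to a label the user can recognise, and revocable without touching the main password. The store below is an added example of that shape; it is not Facebook's implementation, and the secret format, PBKDF2 hashing, per-app label and last-used timestamp are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions, not the article's or Facebook's design: a 32-hex-character
# random secret shown once, PBKDF2-SHA256 at rest, a per-app label used for
# audit and revocation, and a last-used timestamp per app.
PBKDF2_ROUNDS = 50_000


def _kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class AppPasswordStore:
    """Per-application passwords for one account. Each one logs the app in on
    its own, without a Login Approvals code, so every one is separately
    revocable and records when it was last used."""

    def __init__(self):
        self.records = {}  # account -> {app_label: record}

    def create(self, account, app_label, now=None):
        """Return the new app password once; only salt and hash are stored."""
        apps = self.records.setdefault(account, {})
        if app_label in apps and not apps[app_label]["revoked"]:
            raise ValueError("an active app password already exists for %r" % app_label)
        secret = secrets.token_hex(16)
        salt = secrets.token_bytes(16)
        apps[app_label] = {
            "salt": salt,
            "digest": _kdf(secret, salt),
            "created": time.time() if now is None else now,
            "last_used": None,
            "revoked": False,
        }
        return secret

    def verify(self, account, candidate, now=None):
        """Return the label of the app whose password matched, or None.
        The main account password is deliberately not accepted here."""
        now = time.time() if now is None else now
        matched = None
        for label, rec in self.records.get(account, {}).items():
            if rec["revoked"]:
                continue
            # check every active record so timing does not depend on which matched
            if hmac.compare_digest(_kdf(candidate, rec["salt"]), rec["digest"]):
                matched = label
        if matched is not None:
            self.records[account][matched]["last_used"] = now
        return matched

    def revoke(self, account, app_label):
        rec = self.records.get(account, {}).get(app_label)
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def active(self, account):
        """Labels of app passwords still valid, for an 'authorized apps' page."""
        return sorted(l for l, r in self.records.get(account, {}).items() if not r["revoked"])
```

The last-used timestamp is the detection hook: an app password that starts authenticating long after its app was uninstalled is exactly the kind of login the article's "not absolutely confident" definition is meant to catch.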

This is pretty important, though if the analyst is correct and the definition is a baseline, "Account that has had spam sent from it", the number of false positives is probably really low. That would suggest that the real number of compromised accounts is actually more than 600 000.

The apps password sounds like a good idea, the Trusted Friends is also interesting. Some of the recent changes have made most of FacistBook's settings difficult for the average user. How about a "Explain WTF this is?" app?

Most spammy posts I've seen on Facebook were through viral 'clickjacks', where clicking on a link promising some awesome/titillating video or pic sends you to a redirect/javascript magic place which then reposts the same link on all your friends' walls using your web browser and session. The security (password) isn't really compromised unless it also delivers some kind of OS trojan or worm, but it does have unintended (and maybe embarrassing) consequences for the unwary user.

“If you forgot your password and need to login but can't access your email account, you can rely on your friends to help you get back in,” Facebook said. “We will send codes to the friends you have selected and they can pass along that information to you.”

Maybe my Newspeak is a little rusty, but sounds like the opposite of additional security.

Another useful piece of information would be HOW the accounts were compromised. Was the user's password actually the word "password" or something simple that even the most juvenile brute force attack could crack it? Did they log into their Facebook account from a public computer which likely had a keylogger on it?

I know this article isn't really finding fault with Facebook for these findings, but holding them responsible at all is a bit ridiculous. This is 2011, Internet access has been mainstream for some time now. People need to learn how to protect their online assets without being forced to by ridiculous password complexity rules.

I guarantee your account will never be brute force attacked or guessed if you make it, "1l3rnedH0wt0cre4t3SecureP@ssw0rd5"

Definitely have had Trusted Friends under my account settings for a few days, if not longer. Noticed it the other day under Account Settings -> Security Settings. Requires a minimum of 3 friends selected to even use the feature, so I assume you need the code from each friend to access your account back.

This is pretty important, though if the analyst is correct and the definition is a baseline, "Account that has had spam sent from it", the number of false positives is probably really low. That would suggest that the real number of compromised accounts is actually more than 600 000.

Exactly my thoughts. Context is everything and I always take these claims with a grain of salt.

200+/- million compromised accts per year - that's about 2/3 of the US population having their accts compromised every year

ConfusedAsHell wrote:

21% of all Facebook users will have their accounts compromised this year (0.06% * 365 days). You have a 1 in 5 chance. Much better than a lottery.

FAIL (is that screen name ironic or what?)

Uh, guys. NOT compromised ACCOUNTS, compromised LOGINS. One account logging in 100 times in a day is 100 compromised logins. The same account could be compromised and used for weeks, for thousands of compromised logins per account. Or every day could be roughly the same 100,000 accounts logging in six times.
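The distinction this last comment draws, and the open question the article raises about how many accounts the 600,000 figure represents, is a matter of how the login log is aggregated. The script below is an added example, not anything from the article or from Facebook, run over a constructed ten-line log: it counts blocked logins the way the published figure does, then collapses them to distinct accounts and splits them by the preemptive and retroactive block modes the article quotes. The log format and the outcome names are assumptions.

```python
from collections import Counter

# Constructed sample log, not Facebook data: one line per login, formatted as
# "timestamp account source outcome". The outcome names mirror the two block
# modes the article quotes (preemptive and retroactive).
SAMPLE_LOG = """\
2011-10-27T00:00:01 alice 203.0.113.5 ok
2011-10-27T00:00:04 bob 198.51.100.9 blocked_preemptive
2011-10-27T00:00:09 carol 203.0.113.7 ok
2011-10-27T00:01:12 bob 198.51.100.9 blocked_preemptive
2011-10-27T00:02:30 dave 192.0.2.44 ok
2011-10-27T00:03:05 bob 198.51.100.9 blocked_preemptive
2011-10-27T00:04:48 erin 203.0.113.5 ok
2011-10-27T00:05:10 carol 198.51.100.23 blocked_retroactive
2011-10-27T00:06:00 alice 203.0.113.5 ok
2011-10-27T00:07:21 dave 192.0.2.44 ok
"""


def parse_log(text):
    """Turn the space-separated lines into dicts, skipping blank or malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, account, source, outcome = parts
        events.append({"ts": ts, "account": account, "source": source, "outcome": outcome})
    return events


def summarize(events):
    """Count blocked logins the way the article's figure does, then reduce them
    to distinct accounts the way the last commenter asks for."""
    blocked = [e for e in events if e["outcome"].startswith("blocked_")]
    per_account = Counter(e["account"] for e in blocked)
    return {
        "logins": len(events),
        "blocked_logins": len(blocked),
        "blocked_rate": len(blocked) / len(events) if events else 0.0,
        "blocked_accounts": len(per_account),
        "blocked_by_mode": dict(Counter(e["outcome"] for e in blocked)),
        "most_blocked_account": per_account.most_common(1)[0] if per_account else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print("%-22s %s" % (key, value))
```

On the sample, four blocked logins come from two accounts, with one account responsible for three of them; the same shape at Facebook's scale is why a daily count of blocked logins cannot be read as a count of compromised accounts without the per-account breakdown.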